purecrypter | 6872346b1b51a9e0c9442fb7d4d03969af3ce7e60c1014fab0f35d8e5ca10417

General

Target

AtmosphereLauncher.exe
Size

715.8MB
MD5

94b94d3d540398b7a5a3336d70d50194
SHA1

ceb17e1848c814f65722b6a4a546f9cb0aedd1d4
SHA256

6872346b1b51a9e0c9442fb7d4d03969af3ce7e60c1014fab0f35d8e5ca10417
SHA512

bc78d150768cb49dba1a84d18bec356ed7c6f997aa60dc815578a664ee76eeca643841944998b7059a1821fa1157c96201fd38461e23c0c36ae635fea6b3e5dc
SSDEEP

1536:Frae78zjORCDGwfdCSog01313pmIs5gf6s1POTQCcdxNqHHzs9lReMbP:LahKyd2n315s5c6s12TQ1NqHHzs9veML

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Extracted

Family

purecrypter

C2

https://www.franceconsobanque.fr/wp-admin/images/css/design/fabric/bo/Sjbgpxzi.bmp

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 1 IoCs

pid	Process
1444	travelpeov.exe

Loads dropped DLL 5 IoCs

pid	Process
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe
1864	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	AtmosphereLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AtmosphereLauncher.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	1444	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	travelpeov.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1444	2012	AtmosphereLauncher.exe	27
PID 2012 wrote to memory of 1444	2012	AtmosphereLauncher.exe	27
PID 2012 wrote to memory of 1444	2012	AtmosphereLauncher.exe	27
PID 2012 wrote to memory of 1444	2012	AtmosphereLauncher.exe	27
PID 1444 wrote to memory of 1864	1444	travelpeov.exe	28
PID 1444 wrote to memory of 1864	1444	travelpeov.exe	28
PID 1444 wrote to memory of 1864	1444	travelpeov.exe	28
PID 1444 wrote to memory of 1864	1444	travelpeov.exe	28

C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1188
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

Filesize
362.4MB

MD5
cfdca7d646a938c27e6dee83ac0c1278

SHA1
51dc726080be9c64f29dc1360d30fbbd475e99c0

SHA256
c486efdb22b932a3cd04fa60965ad053b824c241e676863c0d430f2b601443b9

SHA512
48c1ede8bfaf4c1c073a3720039db7671100578941ad7d71909887742d5f79badee7a82d4e29bb2d621f8446e92758cf1f03aa3d865f0e1207459d94e598d8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

Filesize
362.4MB

MD5
cfdca7d646a938c27e6dee83ac0c1278

SHA1
51dc726080be9c64f29dc1360d30fbbd475e99c0

SHA256
c486efdb22b932a3cd04fa60965ad053b824c241e676863c0d430f2b601443b9

SHA512
48c1ede8bfaf4c1c073a3720039db7671100578941ad7d71909887742d5f79badee7a82d4e29bb2d621f8446e92758cf1f03aa3d865f0e1207459d94e598d8e3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

Filesize
209.1MB

MD5
2719e362a6ae6072fc69750f4448ffb7

SHA1
13b2cb0230cbc82b20633bb97630c7fa1a849d8d

SHA256
9259f5bcc3206ae406993262f368898d5c6fc18aea4148bed9eceb0755cccfc8

SHA512
fdf4a47c14d9009a2ef51d125e99e3b2982cf44bfb44fa45b0ee39a661dc00e1e7b049a93c426dbd5e3b635b6e0fb4bb60670868ea07c2d695f96781d7b770f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

Filesize
215.4MB

MD5
0cdd6f30c6ee817e93df3007f10b7e6a

SHA1
a1420de73a64ca8022442aed32ab552c50251e4e

SHA256
8f30fd8b082175f6fdd042cd403b39afc0cf68daddf9e1f431ee55d3d9e91f05

SHA512
2dbc921674c95cba3ecba9797a08bae6db9d2acc47c99e7b0648a83da87808e4179444908a9c416c13fce7b761b9adcd989a700d6571de1b1260708b8771c915

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

Filesize
213.1MB

MD5
403c0272eba716f90109eb6b098d397c

SHA1
841c09e13477909302335a2af9087c2af301b4a5

SHA256
a522db582ec5b302b11e26e39dd56b9d397576c3f0948a73e10459d869604628

SHA512
2fef9a92742f0d4a98a934b3078fac0c027f754e70b5833929f64744b0cd8324ac26027f4d4b8397bdd101ee490bbc7849cebbf1cf783b659fcfdded007de806

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

Filesize
216.2MB

MD5
13e6f41ab50cb51148fb16723bb679c5

SHA1
345e922fa031acf47df7ce8697e6e7bcb62ccb32

SHA256
a825ecc0c97c41ae0d1e793b8b2a89c5f924f3c7442ff28a27d6daae89c9c3a7

SHA512
f6a18e09d83f08c3e68111a4a1f213db0a5f21f5a393803b7ab96a47d0ca836539062181f50619b722eae70f0e4f8ad01489c04b5227981615df9795c3d5818c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

Filesize
193.2MB

MD5
2928f4a10f1a824d26f56052accd9926

SHA1
93af9c82a7dedef40f3ab1b1a6a414210d90c192

SHA256
125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a

SHA512
4bd74f377bbd9ab41dd5fe0448a2d77e062a795b6e30a5961e2b62c70d5f1c35a470fe9a7cdbc313f40f8fbda086935e02677ba05213689bcec3b58eef5ea3e2

Download Submit
memory/1444-57-0x00000000010E0000-0x00000000010E8000-memory.dmp

Filesize
32KB

Download
memory/1444-58-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing